EU member states were required to transpose into local law Directive (EU) 2016/943 on trade secrets by June 2019. Most member states, including, for example, the UK, Hungary, Belgium, Poland and Slovakia, have already done so. Germany did so by implementing the German Trade Secrets Act (TSA). The major change under the TSA is that legal protection is now provided alongside the contractual protection that already exists under non-disclosure agreements (NDAs), provided that the owner has implemented adequate protective measures (such as an NDA).

Conclusion: It is extremely important that companies check existing confidentiality obligations imposed on employees and NDAs concluded with other organizations to make sure their trade secrets are protected under the TSA. You are invited to attend our free webinar on June 25, 2019 for more details.

On April 5, 2019, the German data protection authorities (German DPAs) published guidance on the applicability of the German Telemedia Act to telemedia services – including, as an example, the use of website cookies for targeted advertising post-GDPR. The guidance aims to clarify and concretize a previous statement on the topic released by the German DPAs in April 2018 and to serve as guidance for the implementation of data protection requirements when processing users’ data through telemedia services.

Also in April, the DPA of Baden-Württemberg published FAQs on the use of cookies and other tracking tools.

The German DPAs confirm their previously published views and, as a key statement, point out that the consent of data subjects will be required for most tracking tools as such tools are outside the scope of the user’s expectations. Therefore “legitimate interests” cannot be used as a legal basis for such processing activities.

Conclusion: The general views of the German DPAs, and, in particular, the detailed requirements set out in the guidance with regard to cookie banners and consent tools, have received criticism on both legal and practical grounds. However, online service providers should carefully assess whether the tools they implement on their websites or in their apps actually require consent.

The German DPAs have again commented on the operation of Facebook fan pages in a statement of April 1, 2019 (more on the previous statements in our blog). According to the German DPAs the "Page Insights Controller Addendum" does not meet the requirements for a joint controller agreement under Art. 26 GDPR.

The German DPAs expect Facebook to improve and the operators of fan pages to meet their responsibilities, and they conclude their statement by saying that “As long as these obligations are not fulfilled, a fan page cannot be operated in compliance with data protection laws.”

Conclusion: The German DPAs provide a clear view on the current status of Facebook fan pages, but, unfortunately, fail to provide any solutions. Organizations should further monitor the developments and carry out a risk assessment if they want to continue to operate their fan page. Organizations have not yet collectively deleted their Facebook fan pages.

On May 12, 2019, the German newspaper Welt Am Sonntag published statistics on fines imposed by the German DPAs under the GDPR. The German DPAs have imposed a total of 81 fines since May 2018. The fines have ranged from a few hundred euros to five-digit amounts, and have so far totaled €485,490.

Conclusion: The supervisory authorities are becoming more active with regard to fines, in both Germany and the rest of Europe, imposing, for example, a fine of €2 million in Italy for telemarketing without consent and a fine of €400,000 in France for inadequate security measures and retention periods.

Based on recent judgments of courts in Germany (Karlsruhe Regional Court, judgment of March 21, 2019, docket no. 13 O 38/18 KfH; Braunschweig Court of Appeals, court order of January 8, 2019, docket no. 2 U 89/18; and Munich Regional Court I, judgment of April 29, 2019, docket no. 4 HK O 14312/18), there is a tendency for German courts to consider all posts by influencers as commercial content that must therefore be labeled as advertising. In those judgments, the courts have taken the view that influencer posts promote either the business interests of organizations that are tagged or whose products are depicted, or, where this is not the case, at least the influencer’s own business interests.

Those judgments are, however, inconsistent with regard to the questions of whether there is room for influencer posts to qualify as editorial content and whether the commercial nature is apparent from the circumstances so that there is no need for any further labeling.

Conclusion: Influencers and organizations that engage in influencer marketing should carefully follow further case law, at least until the German Supreme Court has the opportunity to create more legal certainty or until the legislator clearly regulates the labeling requirements. See our client alert for more details.

6. German Supreme Court once again refers a question on copyright infringement by framing to CJEU

The European Court of Justice (CJEU) has to deal with the issue of framing once again. In its decision of April 25, 2019 (docket no. I ZR 113/18), the German Supreme Court referred to the CJEU the question of whether a collecting society may require a user to take effective technical measures against framing within the framework of a license agreement. In its judgment of June 18, 2018 (docket no. 24 U 146/17), the Berlin Court of Appeals had previously declared such a clause invalid (more on this judgment on our blog).

Conclusion: It remains to be seen whether the CJEU will echo its judgment of January 14, 2014 in the BestWater case (Case C-348/13) by again ruling that such use is not covered under copyright law. The consequence would be that the collecting society would be unable to contractually oblige users to take technical measures against framing.

The Berlin Regional Court (judgment of March 21, 2019, docket no. 52 O 243/18) has decided that no additional costs may be charged for the use of a payment method that falls under the SEPA Regulation (Regulation (EU) No. 260/2012) (see Section 270a of the German Civil Code). This prohibition extends beyond payment cards, SEPA transfers and direct debits to cover payment methods such as Giropay or Pay now with online banking (Sofortüberweisung) (see also Munich Regional Court I, judgment of December 13, 2018, docket no. 17 HK O 7439/18). Furthermore, it is also prohibited to grant lower prices with regard to a specific payment method if a payment method under the SEPA Regulation would be more expensive as a result.

Conclusion: E-commerce players must check whether the payment methods provided for under the SEPA Regulation are offered free of charge and adjust their pricing if necessary.

8. Austrian DPA rules that it is not possible to give consent to unencrypted emails

In its administrative decision of November 16, 2018, docket no. DSB D213.692/0001 DSB/2018, the Austrian DPA, in addition to raising several objections to the consent form used by the company concerned (a day clinic), concluded that it is not possible to deviate from the obligation of encrypted transmission of emails pursuant to Art. 32 GDPR by means of consent. It follows from the reasoning in the decision that this finding is not limited to special categories of personal data.

Conclusion: Data controllers who still use unencrypted email should consider this decision.

9. Munich Regional Court I: No right of re-publication of positive reviews

In its judgment of April 16, 2019 (docket no. 33 O 6880/18), Munich Regional Court I ruled that a dentist had no right to re-publish deleted, positive reviews originally published on a medical rating portal, as the deletion had taken place lawfully. In the opinion of the court, the deletions had only been made to maintain the portal’s standards of quality and not to cause distress to the dentist. By following its review process, which consisted of both automated and written assessments, as well as subsequent contact with the authors of the reviews (further details were not disclosed), the portal had made a decision to delete on legitimate grounds. By contrast, the dentist could not sufficiently prove the validity of the reviews in dispute.

Conclusion: Platform providers are required to implement and record effective validation processes. However, details of the processes do not need to be disclosed as they constitute trade secrets.

In its judgment of June 5, 2019 (Case C-142/18), the CJEU ruled that a software-based VoIP service that allows the user to call a fixed or mobile number covered by a national numbering plan via the public switched telephone network of an EU member state constitutes an “electronic communications service” within the meaning of the EU Framework Directive 2002/21/EC. In a further judgment of June 13, 2019 (Case C-193/18), the CJEU found that a web-based email service that does not itself provide Internet access does not constitute an “electronic communications service”.